fix: fastd secret permissons
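---
# Installs bind9 on the hosts of the "dns" group, deploys its configuration
# and makes sure no other local resolver (systemd-resolved, dnsmasq) keeps
# port 53. Configuration changes reach the running daemons through handlers
# and change-guarded restarts, so a service is only bounced when one of its
# files actually changed.
- name: "Setup DNS on machine"
  hosts: dns
  become: true
  tasks:
    - name: Install bind9
      ansible.builtin.apt:
        name:
          - bind9
          - bind9-utils
          - bind9-doc
          - bind9-dnsutils
        state: present

    # The br-fflux addresses only exist while the VPN is up; the template
    # below uses them for local resolving. The sed expression keeps the
    # address and drops the prefix length.
    - name: Get IPv4 address of br-fflux if connected to VPN
      ansible.builtin.shell: ip -4 addr show dev br-fflux primary scope global | sed -e's/^.*inet \([^ ]*\)\/.*$/\1/;t;d'
      register: ipv4_addr
      changed_when: false
      # No global address (or no interface) is reported as a failed task so
      # later tasks can test ipv4_addr.failed, but the play carries on.
      failed_when: ipv4_addr.stdout == ""
      ignore_errors: true
    - name: Get IPv6 address of br-fflux if connected to VPN
      ansible.builtin.shell: ip -6 addr show dev br-fflux primary scope global | sed -e's/^.*inet6 \([^ ]*\)\/.*$/\1/;t;d'
      register: ipv6_addr
      changed_when: false
      failed_when: ipv6_addr.stdout == ""
      ignore_errors: true
      # Only worth asking when the VPN interface was found at all.
      when: not ipv4_addr.failed

    # Debian starts named right after installation with the stock config, so
    # a plain "started" at the end of the play would never apply these files;
    # every task that changes bind's configuration notifies the restart
    # handler instead.
    - name: Copy bind9 files
      ansible.builtin.copy:
        src: "{{ server_config_dir }}/bind/{{ item }}"
        dest: "/etc/bind/{{ item }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - db.freifunk.lu
        - named.conf
        - named.local.conf
      notify: Restart bind9
    - name: Copy named.options.conf with template (IP for local resolving)
      ansible.builtin.template:
        src: "{{ server_config_dir }}/bind/named.options.conf.j2"
        dest: "/etc/bind/named.options.conf"
        owner: root
        group: root
        mode: "0644"
      notify: Restart bind9

    # We keep the content of default-zones, but we don't use the same name.
    # We prefer "named.NAME.conf" instead of "named.conf.NAME".
    - name: Check if default-zones has been moved
      ansible.builtin.stat:
        path: /etc/bind/named.conf.default-zones
      register: default_zones
    - name: Move default-zones
      ansible.builtin.copy:
        remote_src: true
        src: /etc/bind/named.conf.default-zones
        dest: /etc/bind/named.default-zones.conf
        owner: root
        group: root
        mode: "0644"
      when: default_zones.stat.exists
      notify: Restart bind9
    - name: Delete previous default-zones
      ansible.builtin.file:
        path: /etc/bind/named.conf.default-zones
        state: absent
      when: default_zones.stat.exists

    - name: Delete default bind9 files
      ansible.builtin.file:
        path: "/etc/bind/{{ item }}"
        state: absent
      loop:
        - named.conf.local
        - named.conf.options

    # Make sure nobody else binds to port 53. Both resolvers are optional on
    # the host, so their config is only edited when the file exists; other
    # errors (permissions, bad content) are no longer hidden by failed_when.
    - name: Check if systemd-resolved is configured on this host
      ansible.builtin.stat:
        path: /etc/systemd/resolved.conf
      register: resolved_conf
    - name: Make sure systemd-resolved does not bind to port 53
      ansible.builtin.lineinfile:
        path: /etc/systemd/resolved.conf
        # Match the directive whether it is still commented out or already
        # set to another value, so exactly one DNSStubListener line remains
        # instead of a second one being appended at the end of the file.
        regexp: '^#?DNSStubListener='
        line: 'DNSStubListener=no'
        state: present
        owner: root
        group: root
        mode: "0644"
      register: resolved_stub
      when: resolved_conf.stat.exists
    - name: Restart systemd-resolved
      ansible.builtin.service:
        name: systemd-resolved
        state: restarted
      # A restart (not a reload) is what reliably re-reads resolved.conf, and
      # it only happens when the stub listener line was actually changed.
      when: resolved_stub is changed
      failed_when: false # Unit may be masked or absent even though the conffile exists

    - name: Check if dnsmasq is configured on this host
      ansible.builtin.stat:
        path: /etc/dnsmasq.conf
      register: dnsmasq_conf
    - name: Make sure dnsmasq doesn't bind to port 53
      ansible.builtin.lineinfile:
        path: /etc/dnsmasq.conf
        # Replace any existing port= line (commented, 53 or another value)
        # rather than only the literal "port=53"; port=0 disables DNS in
        # dnsmasq entirely.
        regexp: '^#?port='
        line: 'port=0'
        state: present
        owner: root
        group: root
        mode: "0644"
      register: dnsmasq_port
      when: dnsmasq_conf.stat.exists
    - name: Restart dnsmasq
      ansible.builtin.service:
        name: dnsmasq
        state: restarted
      # dnsmasq does not re-read dnsmasq.conf on reload (SIGHUP), so a restart
      # is required for port=0 to take effect; only done when the line changed.
      when: dnsmasq_port is changed
      failed_when: false # Package may have been removed with the conffile left behind

    - name: Enable and start bind9
      ansible.builtin.service:
        name: bind9
        state: started
        enabled: true

  handlers:
    # Runs once at the end of the play, and only if a notifying task changed
    # something. A restart rather than "rndc reload" is used so every option
    # in the new files (listen addresses included) is guaranteed to be
    # picked up.
    - name: Restart bind9
      ansible.builtin.service:
        name: bind9
        state: restarted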